New Security Rules for Organizations Supplying Software to the Federal Government
The U.S. Office of Budget and Management ("OMB") has announced new security requirements for organizations that provide software or products containing software to the federal government.
The OMB has issued memorandum M-22-18 with new security requirements (the "Rules") requiring federal agencies to ensure that all third-party software they use complies with secure software development standards and guidance issued by the National Institute of Standards and Technology ("NIST"). The OMB is issuing this mandate as required under President Biden's Executive Order on Improving the Nation's Cybersecurity.
The Rules, which are intended to secure the U.S. federal government's software supply chain, are a component of both the federal cybersecurity and secure supply chain efforts. They will require software developers to self-attest compliance with NIST's guidance on secure software development. Federal government contractors and subcontractors providing software and products containing software under federal procurement contracts should expect to be required to comply with the new security rules.
The Significance of the Rules
The Rules will require software developers to assess and confirm that their development practices adhere to NIST's guidance as regularly updated and contained in the Secure Software Development Framework (NIST Special Publication 800-218) and Software Supply Chain Security Guidance. Generally speaking, the documents contain practical guidance and frameworks that developers can employ to enhance the security of their software. Ultimately, the guidance encourages developers to employ a risk-based approach to software development that is tailored to their particular software and development environments.
The broad definition of "software" used by OMB in the Rules means many organizations doing business with the U.S. federal government will be implicated. For example, software includes "firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software." Under this definition, all products that contain any software would likely be subject to this self-attestation. In certain cases where an organization does not itself develop the underlying software—e.g., a basic open source library—a third-party assessment of the software may be used instead of a self-attestation.
Aggressive Timelines Require Prompt Compliance
Federal agencies are required to collect attestations from software developers within 365 days from September 14, 2022. For "critical software," the timeline is slashed to 270 days. Agencies can request waivers for certain software, but "only in the case of exceptional circumstances and for a limited duration." OMB also has set aggressive deadlines for relevant federal agencies to create standardized attestation forms.
Federal agencies are required to seek attestations for software they currently use and will use in the future. Absent a waiver, noncompliance may mean developers risk not being able to provide their software to the federal government. Defense contractors can expect the Rules to be incorporated into, or added to, the evolving U.S. Department of Defense Cybersecurity Maturity Model Certification requirements, and more immediately as a baseline within the requirement for "adequate security" under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. Contractors doing business with federal civilian agencies should anticipate that the Rules will be implemented under Federal Acquisition Regulation (FAR) 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, as "other specific safeguarding requirements specified by Federal agencies and departments relating to covered contractor information systems generally."
Also, a false attestation may open up the company to liability under the False Claims Act. Under its Civil Cyber-Fraud Initiative, the Department of Justice has shown its willingness to prosecute government contractors, subcontractors, and grant recipients that misrepresent or fail to comply with the federal government's cybersecurity requirements.
Organizations should start evaluating whether their software development practices conform to NIST's standards and guidance and move toward compliance.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.